How to enable multiple context in the Cisco ASA firewall

Cisco ASA firewall is possibly already configured for multiple security contexts dependent upon how you ordered it from Cisco, but if you are upgrading then you might need to convert from single mode to multiple mode.

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match with the mode command.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name “admin.”

In order to enable multiple mode, enter this command: hostname(config)# mode multiple
You are prompted to reboot the security appliance.

CiscoASA(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to flash

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

*** Message to all terminals:
*** change mode


Booting system, please wait…
!— output suppressed

INFO: Admin context is required to get the interfaces
*** Output from config line 20, “arp timeout 14400”
Creating context ‘admin’… Done. (1)
*** Output from config line 23, “admin-context admin”

Cryptochecksum (changed): a219baf3 037b31b4 09289829 1ab9790a

*** Output from config line 25, ” config-url flash:/admi…”

Cryptochecksum (changed): d4f0451b 405720e1 bbccf404 86be061c
Type help or ‘?’ for a list of available commands.

Configuring Security Context:

If you do not have an admin context (for example, if you clear the configuration), you must first specify the admin context name when you enter this command:

hostname(config)# admin-context <name>

Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name to continue the admin context configuration.
In order to add or change a context in the system configuration, perform these steps:
In order to add or modify a context, enter this command in the system execution space:

hostname(config)# context <name>

The name is a string up to 32 characters long. This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.
“System” or “Null” (in upper or lower case letters) are reserved names, and cannot be used.

In order to specify the interfaces that you can use in the context, enter the command appropriate for a physical interface or for one or more subinterfaces.
In order to allocate a physical interface, enter this command:

hostname(config-ctx)# allocate-interface <physical interface> [mapped_name] [visible | invisible]

You can enter these commands multiple times to specify different ranges. If you remove an allocation with the no form of this command, any context commands that include this interface are removed from the running configuration.
In order to identify the URL from which the system downloads the context configuration, enter this command:

hostname(config-ctx)# config-url url

Make sure you enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration can include commands that refer to interfaces (interface, nat, global…). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.